Security

Overview

JJInfinity is built on ASP.NET Core security primitives and adds platform-level controls for reverse proxy routing, auditing, and access governance.

This page summarizes the default security posture.

Core principles

Least privilege

Authenticated users do not receive broad access by default. Access must be explicitly granted via roles, claims, or policies.

Password hashing and credential safety

Passwords are stored as salted hashes and cannot be reversed to plain text.

Account lockout

Accounts are temporarily locked after repeated failed login attempts to reduce brute-force risk.

Two-factor authentication (2FA)

JJInfinity supports second-factor flows to strengthen account protection.

Role and claim authorization

Views and APIs validate authorization before executing protected operations.
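The two rules above (no broad access by default, explicit role or claim checks before protected operations) map onto a fallback policy plus named policies in ASP.NET Core. The following is an added example written for this page, not JJInfinity's own code; it assumes a Web SDK project with implicit usings, an authentication scheme registered elsewhere, and hypothetical names (`CanManageUsers`, `Administrator`, the `permission` claim, `UserAdminController`).

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Authentication (cookie / Identity) registration is assumed to be configured elsewhere.

builder.Services.AddAuthorization(options =>
{
    // Deny by default: any endpoint that is not explicitly [AllowAnonymous]
    // requires a signed-in user, so a forgotten [Authorize] does not expose it.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

    // Being signed in is not enough for privileged operations: this policy
    // requires a specific role AND a specific permission claim.
    options.AddPolicy("CanManageUsers", policy =>
        policy.RequireRole("Administrator")
              .RequireClaim("permission", "users:write"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical controller (not from JJInfinity). The policy is evaluated before
// the action body runs, so a view and an API can share one authorization rule.
[Authorize(Policy = "CanManageUsers")]
public class UserAdminController : Controller
{
    [HttpPost]
    public IActionResult Disable(string userId)
    {
        // account-disable logic omitted
        return NoContent();
    }

    // A public page on an otherwise-protected controller must opt out explicitly.
    [AllowAnonymous]
    [HttpGet]
    public IActionResult Status() => Ok("up");
}
```

With the fallback policy in place, a request to an endpoint that carries no attribute at all is challenged rather than served; grants are additive and must be spelled out per policy, which is what "explicitly granted" means in practice.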

Anti-forgery validation

State-changing POST operations require anti-forgery protection to mitigate CSRF attacks.
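As an added illustration of that requirement (example code, not JJInfinity's own), the snippet below registers anti-forgery validation globally for unsafe verbs, hardens the anti-forgery cookie, and shows how a script client obtains a request token. Names such as `ProfileController` and the header name `X-CSRF-TOKEN` are assumptions.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews(options =>
{
    // Validate the token on every unsafe verb (POST, PUT, PATCH, DELETE) unless an
    // action opts out, so a newly added endpoint cannot silently skip the check.
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});

builder.Services.AddAntiforgery(options =>
{
    // Header carrying the request token for fetch/XHR callers that post JSON, not forms.
    options.HeaderName = "X-CSRF-TOKEN";            // hypothetical header name
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class ProfileController : Controller
{
    private readonly IAntiforgery _antiforgery;
    public ProfileController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Issues the request token to a script client; GetAndStoreTokens also sets the
    // cookie half, and the two are validated together on the next unsafe request.
    [HttpGet]
    public IActionResult CsrfToken()
    {
        var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Json(new { token = tokens.RequestToken });
    }

    // Already covered by the global filter; the explicit attribute documents the
    // intent and keeps the check even if the filter registration is ever removed.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult UpdateEmail(string email)
    {
        // update logic omitted
        return RedirectToAction(nameof(CsrfToken));
    }
}
```

A POST that arrives without a matching cookie/token pair is rejected with 400 before the action executes, which is the property the page relies on for CSRF mitigation.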

Secure cookies

Authentication cookies are configured with secure attributes such as HttpOnly, Secure, and SameSite.
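The attributes named above are set on the Identity application cookie through `ConfigureApplicationCookie`; the following added example (not JJInfinity's configuration) shows that, plus a site-wide cookie policy so the same floor applies to every other cookie the app writes. It assumes Identity is registered elsewhere; the cookie name, lifetime and paths are assumptions.

```csharp
using Microsoft.AspNetCore.CookiePolicy;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Identity registration (AddIdentity / AddDefaultIdentity) is assumed to be configured elsewhere.

builder.Services.ConfigureApplicationCookie(options =>
{
    // The __Host- prefix makes browsers reject the cookie unless it is Secure, scoped
    // to Path=/ and carries no Domain, so a sibling subdomain cannot overwrite it.
    options.Cookie.Name = "__Host-JJInfinity.Auth";          // hypothetical name
    options.Cookie.Path = "/";
    options.Cookie.HttpOnly = true;                           // unreadable from script
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // never sent over plain HTTP
    options.Cookie.SameSite = SameSiteMode.Lax;               // withheld on cross-site POSTs;
                                                              // Strict would also drop top-level links into the app
    options.Cookie.IsEssential = true;

    // Idle timeout: the ticket is valid for 8 hours and is reissued once more than
    // half the window has elapsed, so an abandoned session expires on its own.
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
    options.SlidingExpiration = true;

    options.LoginPath = "/Account/Login";
    options.AccessDeniedPath = "/Account/AccessDenied";
});

var app = builder.Build();
app.UseHsts();
app.UseHttpsRedirection();

// Floor for every cookie the app writes (antiforgery, TempData, session), not only the auth ticket.
app.UseCookiePolicy(new CookiePolicyOptions
{
    HttpOnly = HttpOnlyPolicy.Always,
    Secure = CookieSecurePolicy.Always,
    MinimumSameSitePolicy = SameSiteMode.Lax
});

app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

A quick check after deployment is to sign in and inspect the `Set-Cookie` response header: it should carry `HttpOnly`, `Secure` and `SameSite=Lax` and, with the prefix above, a name starting with `__Host-`.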

Data Protection API

Authentication and recovery tokens use ASP.NET Core Data Protection.

User enumeration resistance

Authentication flows use generic failure messages to avoid exposing whether a user exists.
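Lockout (described under Account lockout above) and generic failure messages meet in the login action. The code below is an added example, not JJInfinity's own: it configures Identity's lockout thresholds and writes a login handler whose response is identical for an unknown user, a wrong password and a locked-out account. It assumes ASP.NET Core Identity with an EF Core store (`ApplicationDbContext` is the hypothetical context from the standard template) and the threshold values are illustrative.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddIdentity<IdentityUser, IdentityRole>(options =>
{
    // Lock the account after 5 consecutive failures for 15 minutes; the
    // failure counter is reset by a successful sign-in.
    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
})
.AddEntityFrameworkStores<ApplicationDbContext>()   // hypothetical Identity DbContext
.AddDefaultTokenProviders();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    public AccountController(SignInManager<IdentityUser> signInManager) => _signInManager = signInManager;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, bool rememberMe)
    {
        // lockoutOnFailure: true makes a wrong password count toward the threshold.
        // The string overload returns Failed for an unknown user, so there is no
        // separate "no such user" branch in this handler at all.
        var result = await _signInManager.PasswordSignInAsync(
            userName, password, isPersistent: rememberMe, lockoutOnFailure: true);

        if (result.Succeeded) return RedirectToAction("Index", "Home");
        if (result.RequiresTwoFactor) return RedirectToAction(nameof(LoginWith2fa));

        // Unknown user, wrong password and locked-out account all produce the same
        // message, so the response does not reveal whether the account exists.
        // The lockout itself is recorded server-side and can be alerted on from there.
        ModelState.AddModelError(string.Empty, "Invalid login attempt.");
        return View();
    }

    [HttpGet]
    public IActionResult LoginWith2fa() => View();
}
```

Note that the default project templates redirect to a dedicated Lockout page on `result.IsLockedOut`; that page is what reveals account existence, which is why this handler deliberately folds that case into the generic message and leaves lockout visible only in server-side logs.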

Reverse proxy isolation

YARP is used to expose only intended external routes while keeping internal services isolated.

See Reverse Proxy Overview.
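The routing half of that isolation can be expressed as a YARP in-memory configuration. The block below is an added example, not JJInfinity's actual proxy configuration: the route IDs, cluster names and the internal address `http://api-internal:5001/` are assumptions, and an authentication scheme is assumed to be registered elsewhere.

```csharp
using Yarp.ReverseProxy.Configuration;

var builder = WebApplication.CreateBuilder(args);

// Authentication scheme registration is assumed to be configured elsewhere.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ApiUser", policy => policy.RequireAuthenticatedUser()));

// Only /api/** is reachable through the proxy. Internal admin or metrics
// endpoints are simply not listed, so no external request can be routed to them.
var routes = new[]
{
    new RouteConfig
    {
        RouteId = "public-api",
        ClusterId = "api-cluster",
        AuthorizationPolicy = "ApiUser",   // proxy enforces auth before forwarding
        Match = new RouteMatch { Path = "/api/{**catch-all}" }
    }
};

var clusters = new[]
{
    new ClusterConfig
    {
        ClusterId = "api-cluster",
        Destinations = new Dictionary<string, DestinationConfig>
        {
            // Hypothetical internal-only hostname, not resolvable from outside the network.
            ["primary"] = new DestinationConfig { Address = "http://api-internal:5001/" }
        }
    }
};

builder.Services.AddReverseProxy().LoadFromMemory(routes, clusters);

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapReverseProxy();
app.Run();
```

Because the allow-list lives in the proxy, adding a new backend does not expose it until a route is added, and the `AuthorizationPolicy` on the route means unauthenticated traffic is rejected at the edge rather than reaching the internal service.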

Rate limiting and abuse mitigation

Critical endpoints can enforce request limits by route, user, or IP.
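The built-in `Microsoft.AspNetCore.RateLimiting` middleware supports exactly those three partition keys. As an added example (not JJInfinity's configuration), the block below defines a per-IP policy for the login route and a per-user policy for an authenticated export route; the policy names, limits and controller names are assumptions.

```csharp
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Route + IP: the login form gets a small budget per client address.
    // Assumes the app sits behind the YARP front (or UseForwardedHeaders),
    // so RemoteIpAddress is the real client and not the proxy itself.
    options.AddPolicy("login", context =>
        RateLimitPartition.GetSlidingWindowLimiter(
            partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new SlidingWindowRateLimiterOptions
            {
                PermitLimit = 10,
                Window = TimeSpan.FromMinutes(5),
                SegmentsPerWindow = 5,
                QueueLimit = 0          // reject immediately instead of queueing
            }));

    // Route + user: an authenticated export endpoint is budgeted per account,
    // falling back to the address for anonymous callers.
    options.AddPolicy("per-user", context =>
        RateLimitPartition.GetTokenBucketLimiter(
            partitionKey: context.User.Identity?.Name
                          ?? context.Connection.RemoteIpAddress?.ToString()
                          ?? "unknown",
            factory: _ => new TokenBucketRateLimiterOptions
            {
                TokenLimit = 20,
                TokensPerPeriod = 20,
                ReplenishmentPeriod = TimeSpan.FromMinutes(1),
                QueueLimit = 0
            }));

    options.OnRejected = async (context, token) =>
    {
        context.HttpContext.Response.Headers.RetryAfter = "60";
        await context.HttpContext.Response.WriteAsync("Too many requests.", token);
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseRateLimiter();   // after auth so context.User is populated for per-user partitions
app.MapControllers();
app.Run();

public class AccountController : Controller
{
    [HttpPost]
    [EnableRateLimiting("login")]
    public IActionResult Login(string userName, string password) => View();
}

[EnableRateLimiting("per-user")]
public class ExportController : Controller
{
    [HttpGet]
    public IActionResult Download() => Ok();
}
```

Rejections surface as 429 responses with a `Retry-After` header, which is also a convenient signal to collect in the audit log when tuning the thresholds.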

Token expiration

Authentication tokens have controlled lifetimes and must be renewed after expiration.
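Both the Data Protection API section above and this one concern the same primitives, so one added example (not JJInfinity's code) covers them: it configures a shared, rotated key ring, shortens the lifespan of Identity's confirmation and reset tokens, and builds a self-contained time-limited token with `ITimeLimitedDataProtector`. The key directory, application name, purpose string and `RecoveryLinkService` are assumptions.

```csharp
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDataProtection()
    // Same application name on every node so a token minted by one instance is valid on another.
    .SetApplicationName("JJInfinity")
    // Hypothetical path: keys belong in a shared, access-controlled store, never in the web root.
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/jjinfinity/keys"))
    // New key every 90 days; retired keys stay available to unprotect data they issued.
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

// Identity's email-confirmation and password-reset tokens are DataProtector-based;
// their default lifespan is one day, which is shortened here.
builder.Services.Configure<DataProtectionTokenProviderOptions>(options =>
    options.TokenLifespan = TimeSpan.FromHours(2));

builder.Services.AddSingleton<RecoveryLinkService>();

var app = builder.Build();
app.Run();

// Hypothetical service: an application-level token with its expiry sealed inside the payload.
public sealed class RecoveryLinkService
{
    private readonly ITimeLimitedDataProtector _protector;

    public RecoveryLinkService(IDataProtectionProvider provider) =>
        // The purpose string isolates these tokens from every other protector in the app,
        // so a token issued for one purpose cannot be replayed against another.
        _protector = provider.CreateProtector("JJInfinity.RecoveryLink.v1").ToTimeLimitedDataProtector();

    // The lifetime is encrypted together with the user id; the bearer cannot extend it.
    public string Issue(string userId) => _protector.Protect(userId, lifetime: TimeSpan.FromMinutes(30));

    // Returns false for a tampered, foreign or expired token. The caller should then
    // require a freshly issued token rather than attempting to repair this one.
    public bool TryRedeem(string token, out string userId)
    {
        try
        {
            userId = _protector.Unprotect(token);
            return true;
        }
        catch (CryptographicException)
        {
            userId = string.Empty;
            return false;
        }
    }
}
```

Expiry is therefore enforced by the unprotect step itself rather than by a separate database lookup, and rotating the key ring does not invalidate tokens still inside their lifetime because older keys remain readable.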